HIPAA Online File and Data Storage Hosting
Trusted By Over 15,000 Businesses
Our HIPAA cloud storage is fully audited and compliant with HIPAA and HITECH requirements, providing data storage and sharing for growing organizations.
Our cloud storage is ideal for mission-critical applications without compromising speed, security and reliability; it’s ideal for storing large datasets, file transfer, file storage, online storage, imaging, and health records that require encryption. You have the option to choose a dedicated or a cloud storage platform – Atlantic.Net provides a full suite of storage solutions with best-in-class managed security services.
Atlantic.Net’s Secure Block Storage (SBS) is easy to use, highly redundant, easily accessible, and scalable. It is ideal for running mission-critical applications that require robust, scalable block storage, and for database queries that need low latency and high performance in a cloud storage environment. Click here to learn more about our Secure Block Storage (SBS).
Whether you need HIPAA storage scalability, geographic redundancy, reliable backup/data mirroring, or deduplication services to reduce your data footprint and costs, Atlantic.Net delivers all this plus the stability and security of working with an expert provider able to deliver advanced HIPAA storage solutions.
Looking for HIPAA Compliant Hosting?
We Can Help with a Free Assessment.
Ensures internal controls and best practices for physical security, availability, processing integrity, confidentiality, and privacy.
Ensures that our processes, policies, facilities, and hosting solutions comply with the latest HIPAA Audit Protocols.
Stringent testing that continues to expand to comply with HITECH Act policies and protocols.
First, know that the Cloud Computing Guidelines from the HHS state explicitly that cloud computing can be used for HIPAA compliant platforms: “[W]hile a covered entity or business associate may use cloud-based services of any configuration (public, hybrid, private, etc.), provided it enters into a BAA [(business associate agreement)] with the CSP [(cloud service provider)], the type of cloud configuration to be used may affect the risk analysis and risk management plans of all parties and the resultant provisions of the BAA.”
Along with the need for a sound BAA, the HHS guidance also points to the importance of the service level agreement (SLA), which should address data backup and disaster recovery; reliability and availability; limitations on use or disclosure; how data will be returned to the customer if they leave; and adherence to the required security precautions. Guidelines for the last element are found in the Security Rule (part of HIPAA Title II, the Administrative Simplification Provisions).
If you want to abide by the Security Rule and properly protect the data, the cloud platform you choose should encrypt data both in transit and at rest.
The cloud service provider’s system should also encrypt all backup data, both during transmission and once stored. Each HIPAA compliant backup should be encrypted with yet another set of keys for the best possible compliance solution. The best HIPAA compliant cloud storage uses a 512-bit key, derived with the SHA-256 hash algorithm, for AES-256 in XTS-plain64 cipher mode. Of the 512 bits, half (256) form each of the two keys XTS requires: the cipher key and the XTS tweak key.
A key management service (KMS) with peer-to-peer replication should be used. The KMS is a chief concern because, at large scale, rapidly encrypting, storing, and decrypting data can otherwise become unmanageable. The KMS implemented for the best HIPAA compliant cloud storage serves as a centralized access control point while providing simple monitoring and logging. The key encryption key (KEK) should be rotated routinely, every 3 months, and multiple sets of keys should be retained: the best HIPAA compliant cloud storage uses the active KEK for encryption and the formerly active KEK sets for decryption. Access to the KEK sets should be controlled at the level of each individual key, via an access control list, and limited to authenticated users and services. All requests should be logged.
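The KMS behaviour described in the two paragraphs above can be made concrete in code. The Go program below is an added example written for this page; it is not Atlantic.Net's code, and the page does not describe how its KMS is implemented. It models the stated design: the active KEK wraps data encryption keys (DEKs), formerly active KEK sets are retained for unwrapping only, the KEK is rotated on a 3-month (here 90-day) schedule, access is granted per individual key through a control list, and every request is logged whether allowed or denied. The DEK is a 512-bit volume key of the shape the text gives for aes-xts-plain64. Wrapping DEKs under the KEK with AES-256-GCM, the type and function names, and the principal names are my assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// The text says the key encryption key (KEK) is rotated every 3 months.
const kekRotationInterval = 90 * 24 * time.Hour

// kek is one KEK set. Only keks[0] in the kms is active; the rest are decrypt-only.
type kek struct {
	id      string
	key     []byte // 256-bit AES key (assumption: KEKs wrap DEKs with AES-256-GCM)
	created time.Time
}

// auditEntry records every request, allowed or denied.
type auditEntry struct {
	When      time.Time
	Principal string
	Op        string
	KEKID     string
	Allowed   bool
}

// wrappedDEK is a data encryption key encrypted under one named KEK.
type wrappedDEK struct {
	KEKID      string
	Nonce      []byte
	Ciphertext []byte
}

// kms models the key management service: active KEK for wrapping, former KEKs
// for unwrapping, a per-key access control list, and a log of every request.
type kms struct {
	keks  []*kek                     // keks[0] is the active KEK, keks[1:] are retired
	acl   map[string]map[string]bool // KEK id -> principal -> allowed
	audit []auditEntry
	now   func() time.Time // injectable clock so rotation can be exercised
}

func newKMS(now func() time.Time) (*kms, error) {
	k := &kms{acl: map[string]map[string]bool{}, now: now}
	return k, k.rotate()
}

// rotate creates a fresh active KEK; the previous active KEK becomes decrypt-only.
func (k *kms) rotate() error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	id := fmt.Sprintf("kek-%d", len(k.keks)+1)
	k.keks = append([]*kek{{id: id, key: key, created: k.now()}}, k.keks...)
	k.acl[id] = map[string]bool{} // a new key starts with an empty control list
	return nil
}

// rotateIfDue enforces the 3-month schedule.
func (k *kms) rotateIfDue() error {
	if k.now().Sub(k.keks[0].created) >= kekRotationInterval {
		return k.rotate()
	}
	return nil
}

func (k *kms) activeID() string { return k.keks[0].id }

// grant adds a principal to one key's control list (access is per individual key).
func (k *kms) grant(kekID, principal string) {
	if list, ok := k.acl[kekID]; ok {
		list[principal] = true
	}
}

// authorize consults the per-key control list and logs the request either way.
func (k *kms) authorize(principal, op, kekID string) bool {
	allowed := k.acl[kekID][principal] // unknown key or principal -> false
	k.audit = append(k.audit, auditEntry{k.now(), principal, op, kekID, allowed})
	return allowed
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// newVolumeKey returns a 512-bit DEK of the shape the text describes for
// aes-xts-plain64: the first 256 bits are the cipher key, the second 256 the XTS tweak key.
func newVolumeKey() ([]byte, error) {
	dek := make([]byte, 64)
	_, err := rand.Read(dek)
	return dek, err
}

// wrapDEK encrypts a DEK under the active KEK only.
func (k *kms) wrapDEK(principal string, dek []byte) (wrappedDEK, error) {
	active := k.keks[0]
	if !k.authorize(principal, "wrap", active.id) {
		return wrappedDEK{}, errors.New("wrap denied by key control list")
	}
	aead, err := gcmFor(active.key)
	if err != nil {
		return wrappedDEK{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return wrappedDEK{}, err
	}
	// The KEK id is bound as additional data so a blob cannot be presented under another key id.
	ct := aead.Seal(nil, nonce, dek, []byte(active.id))
	return wrappedDEK{KEKID: active.id, Nonce: nonce, Ciphertext: ct}, nil
}

// unwrapDEK decrypts with whichever KEK set (active or retired) the blob names.
func (k *kms) unwrapDEK(principal string, w wrappedDEK) ([]byte, error) {
	if !k.authorize(principal, "unwrap", w.KEKID) {
		return nil, errors.New("unwrap denied by key control list")
	}
	for _, c := range k.keks {
		if c.id == w.KEKID {
			aead, err := gcmFor(c.key)
			if err != nil {
				return nil, err
			}
			return aead.Open(nil, w.Nonce, w.Ciphertext, []byte(c.id))
		}
	}
	return nil, errors.New("unknown KEK id")
}

func main() {
	clock := time.Date(2019, 4, 30, 0, 0, 0, 0, time.UTC)
	k, _ := newKMS(func() time.Time { return clock })
	k.grant(k.activeID(), "backup-svc")
	dek, _ := newVolumeKey()
	w, _ := k.wrapDEK("backup-svc", dek)
	clock = clock.Add(91 * 24 * time.Hour) // past the 3-month mark
	_ = k.rotateIfDue()
	_, err := k.unwrapDEK("backup-svc", w)
	fmt.Println("active:", k.activeID(), "old blob still decrypts:", err == nil)
	for _, e := range k.audit {
		fmt.Printf("%s %s %s allowed=%v\n", e.Principal, e.Op, e.KEKID, e.Allowed)
	}
}
```

The point to notice is that rotation never re-encrypts existing blobs: a DEK wrapped before the rotation still opens under the retired KEK it names, while new wraps go only to the active KEK, and a principal granted on the old key has no access to the new one until it is explicitly added to that key's control list. A production KMS would persist the KEK sets and the audit log (the text calls for peer-to-peer replication), which this in-memory model leaves out.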
For more information about our HIPAA Compliant Storage Solutions, please contact us today!
This page was updated with the latest information on April 30, 2019.
Our Technology Partners
Business Associate Agreement
Intrusion Prevention Service
Fully Managed Firewall
File Integrity Monitoring
Log Management System
Highly Available Bandwidth
Linux & Windows Servers
Our Data Centers Certifications
Dedicated to Your Success
– Jason Coleman
VP of Information Technology, Orlando Magic
"After evaluating a range of managed hosting options to support our data operations, we chose Atlantic.Net because of their superior infrastructure and extensive technical knowledge."
– Erin Chapple
General Manager for Windows Server, Microsoft Corp.
"Atlantic.Net’s support for Windows Server Containers in their cloud platform brings additional choice and options for our joint customers in search of flexible and innovative cloud services."
Contact an advisor at 888-618-DATA (3282) or fill out the form below.
File storage is one of the key concerns of HIPAA. Here are ten recommendations to guide your adoption of systems that meet parameters of the federal healthcare law.
Understanding the scope of protected health information (PHI) is the key first question, since it determines whether the healthcare law applies at all. Data that has been de-identified is no longer PHI, because PHI is by definition personally identifiable. (Electronic PHI is also called ePHI.) Typically, a cloud provider or other firm will require that ePHI be encrypted before it will sign a business associate agreement (BAA) with a covered entity and store the data. Note that the Department of Health and Human Services has clarified that a BAA is necessary for every relationship involving PHI, even if the data is encrypted and the provider does not hold a key.
Many cloud providers and other vendors will indicate that their systems are “HIPAA-compliant.” Keep in mind that all a provider can do is establish a setting that permits HIPAA-compliant data treatment. The organization that is using a cloud system will ultimately determine if the method is compliant since a big part of HIPAA is following the rules for use and configuration that adhere to administrative safeguards.
A strong HIPAA-compliant setting is built on following the mandates of the Security Rule, which puts the rights of the Privacy Rule into effect through the requirement to implement administrative, technical, and physical safeguards to protect ePHI.
Compliance with the HIPAA Security Rule is achieved through the following steps:
See below on risk assessment, another requirement of the Security Rule.
You must use encryption (or an equivalent alternative) for any data exchanges between the cloud and other systems, including your onsite and cloud-hosted apps. FIPS 140-2 validated encryption is the standard to use for transmission of ePHI. There should also be at-rest encryption in place for local hard drives, storage area networks (SANs), and backups.
Risks to any system used for HIPAA-compliant file storage should be analyzed routinely. The steps to that process are as follows:
Risk assessment should be viewed as an effort toward continuous improvement, embedded in a compliance culture with ongoing refinement of security awareness.
Often, rules for HIPAA-compliant file storage are needed related to relationships with outside entities, particularly cloud service providers (CSPs). While cloud may seem intrinsically problematic for compliance due to its offsite nature, its security has been advocated by many. As early as 2014, researchers were presenting models for HIPAA-compliant hybrid clouds.
As adoption of cloud technology increases, healthcare organizations must control their partner relationships to protect ePHI in the cloud – and the HHS actually provides guidance specific to cloud. Business associates and covered entities that decide to store their data with cloud providers or other third-party vendors (e.g. dedicated hosting and colocation scenarios) should understand the provider’s system for its own risk analysis, which should in turn help develop its risk management policy and the terms of the BAA.
Whether you are a covered entity or a business associate, HIPAA compliance mandates a study or assessment of all health data you store – as well as that which you produce, send, and receive – to ensure maintenance of its availability, integrity, and confidentiality. The connection between the risk analysis and business associate agreements cannot be overstated, especially in the context of cloud: the HHS noted directly that public, private, and hybrid clouds can all be HIPAA compliant as long as a BAA is signed, with “the type of cloud configuration… [affecting] the risk analysis and risk management plans of all parties and the resultant provisions of the BAA.”
Be sure that the service-level agreement from any storage provider is aligned with the needs of HIPAA compliance. For example, if the cloud provider is not guaranteeing near-100 percent uptime, the covered entity could, in turn, not be meeting the availability requirement. The SLA should also address safeguards related to ransomware.
There should be continuous, around-the-clock monitoring of the HIPAA systems managed by a cloud provider to guard against unauthorized access. With oversight of the systems in place at all times, reliability becomes stronger, and the covered entity or business associate is able to respond quickly to any emergent security events.
Whether you are using a cloud environment or your own, training is critical to compliance. With a Verizon study (released in March 2018) finding that more than half of healthcare breaches were due to the insider threat, it is essential that your employees understand how to stay compliant – especially since error is the #1 reason for insider breaches. The 2017 Data Breach Investigation Report, which determined this figure through analysis of 1368 security events, found that the top insider threats were:
Employees of business associates should receive regular training on data security and compliance as well.
HIPAA – and its updated scope under HITECH – is not the only regulatory concern when considering healthcare file storage. Other laws may apply as well, depending on the type of information, the nature of the parties to the contract, and the terms of the agreement governing data use and storage.
Other regulations to address to determine possible need for additional compliance are the General Data Protection Regulation (GDPR) from the European Union; personal data privacy rules from the Federal Trade Commission; confidentiality stipulations within “Confidentiality of Substance Use Disorder Patient Records” (Code of Federal Regulations Part 2, Title 42); and state law directing the use and storage of health information.
Storing your files in a HIPAA-compliant manner requires careful consideration of the parameters of the law and of the ways in which the organization specifically adheres to its requirements for comprehensive safeguards. At Atlantic.Net, our infrastructure is fully audited and compliant with HIPAA and HITECH, and adheres to SSAE 18 (formerly SSAE 16) from the American Institute of Certified Public Accountants.
© 2019 Atlantic.Net, All Rights Reserved.